CalOPPA applies to all commercial websites, online service providers and mobile application operators that collect personally identifiable information, such as first and last names and email addresses, from persons in California.[3] To comply with CalOPPA, the website, online service or mobile app operator must conspicuously post a privacy policy on its website and apps that (i) identifies what kind of personal information the operator collects, (ii) describes any processes that consumers may use to review and request changes to the personal information collected, (iii) describes the site's notification processes for any material changes to the operator's privacy policy, and (iv) indicates the effective date of the privacy policy.[4]

Last fall, CalOPPA was amended to require that operators disclose their response to browsers' do-not track signals.[5] These signals give consumers the option of avoiding the collection of personally identifiable information related to their online activities. The amendment also requires that privacy policies disclose whether third parties may collect personal information about a consumer's online activities over time and across sites, when the consumer visits the website or uses the online service.[6] An operator may comply with these amendments by either describing their response to do-not-track signals in their privacy policy, or by providing a clear and conspicuous hyperlink in its privacy policy to a separate page that contains a description of any program or protocol the operator follows that offers the consumer the do-not-track choice.[7] It is important to note that CalOPPA does not stipulate that companies respond a mandated way to do-not-track signals. Rather, the legislation only requires companies to disclose how they respond to such signals that indicate a consumer's choice not to be tracked. Since almost all website, online service, and mobile app operators collect information from individuals in California, nearly all companies are required to comply with this legislation. This recent guidance provides clarity and direction to these companies as they implement the requirements of CalOPPA.

The recent guidelines address five broad categories: (i) readability, (ii) accountability, (iii) individual choice and access, (iv) data use and sharing, and (v) online tracking. To promote readability, the guidelines recommend that the privacy policy be written in plain, straightforward language, using the active voice; operators may also want to consider providing their policies in multiple languages. Mobile app operators should also consider providing their privacy policies in smaller formats, to fit mobile screens, or in a layered format that highlights most relevant issues or information. To promote accountability, it is recommended that operators, at minimum, provide users with the title and email or postal address of a company official who is able to respond to privacy questions or concerns.

With respect to individual choice and access, the guidelines recommend that operators provide a clear description of the choices a consumer has regarding the collection, use and sharing of his or her personal information, and how they can exercise those choices. Operators are urged to offer users the opportunity to access, review and correct their personal information. When doing so, operators should properly authenticate any access right by verifying the user's identity before providing this sensitive personal information.

With respect to data use and sharing, operators are encouraged to explain to consumers (i) the use of personally identifiable information, (ii) practices regarding sharing of personally identifiable information, (ii) the link to the privacy policies of third parties with whom information is shared, and (iv) the retention period for each type or category of personally identifiable information that is collected. At a minimum, the guidelines recommend that the operator list the different types or categories of companies with which the operator shares the customer's personal information.

Finally, with respect to online tracking, it is recommended that operators (i) clearly identify the section of their policy regarding online tracking; (ii) describe how the site or app responds to a browser's do-not-track signal or other similar mechanism; and (iii) disclose the presence of any other parties that collect personally identifiable on the site or service. Operators should consider whether they treat consumers whose browsers send a do-not-track signal differently from consumers without such a device, and whether information is collected over time and across third party websites or online services even where the operator receives a do-not-track signal. If so, the operator should describe the use of such information. If other parties are present on the operator's site or service, the guidelines suggest that operators consider whether third parties are approved prior to collecting personally identifiable information from consumers who visit the site or service, and how the operator verifies that any authorized third parties are not bringing other, unauthorized parties to the site or service to collect personally identifiable information. Operators should also consider whether authorized third-party trackers comply with the operator's privacy policy, and if not, what the impact of this is and how to rectify any potential exposure.

Although the California guidelines do not bind operators or developers, the guidelines provide important insight on the concerns of the regulators and how to comply with the state's broad-reaching do-not-track legislation. We recommend that website, online service and mobile app operators review their data collection practices and online or mobile privacy policies to ensure that they comply with the guidelines as set forth by the California Attorney General. Companies should also take these guidelines into consideration in the future, when developing and rolling out additional online products that include online tracking software.

Data privacy and protection is an increasing concern for consumers and regulators, and a rapidly expanding area of the law. Companies should closely monitor enforcement actions and any future published guidance concerning privacy policy disclosures, especially recommendations from states such as California, which are at the forefront of privacy related legislation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.